-rw-r--r-- | sos/plugins/selinux.py | 29 |
1 files changed, 8 insertions, 21 deletions
diff --git a/sos/plugins/selinux.py b/sos/plugins/selinux.py index c3501eec..d35010a7 100644 --- a/sos/plugins/selinux.py +++ b/sos/plugins/selinux.py @@ -17,30 +17,17 @@ from sos.plugins import Plugin, RedHatPlugin class selinux(Plugin, RedHatPlugin): """selinux related information """ + option_list = [("fixfiles", 'Print incorrect file context labels', 'slow', False)] + packages = ('libselinux',) + def setup(self): # sestatus is always collected in check_enabled() self.add_copy_spec("/etc/selinux") if self.get_option('fixfiles'): - self.add_cmd_output("fixfiles check") - self.add_forbidden_path("/etc/selinux/targeted") - - if not self.policy().pkg_by_name('setroubleshoot'): - return + self.add_cmd_output("fixfiles -v check") + self.add_cmd_output("sestatus -b") + self.add_cmd_output("selinuxdefcon root") + self.add_cmd_output("selinuxconlist root") + self.add_cmd_output("selinuxexeccon /bin/passwd") - # Check for SELinux denials and capture raw output from sealert - if self.policy().default_runlevel() in self.policy().runlevel_by_service("setroubleshoot"): - # TODO: fixup regex for more precise matching - sealert=do_regex_findall(r"^.*setroubleshoot:.*(sealert\s-l\s.*)","/var/log/messages") - if sealert: - for i in sealert: - self.add_cmd_output("%s" % i) - self.add_alert("There are numerous selinux errors present and "+ - "possible fixes stated in the sealert output.") - def check_enabled(self): - try: - if self.get_cmd_output_now("sestatus", root_symlink = "sestatus").split(":")[1].strip() == "disabled": - return False - except: - pass - return True |
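Review bot: The context comment `# sestatus is always collected in check_enabled()` at the top of setup() is stale after this change, because check_enabled() is deleted at the end of the hunk and sestatus output now comes from the added `self.add_cmd_output("sestatus -b")`; I would drop it or replace it with `# sestatus -b is collected below`. Separately, removing `self.add_forbidden_path("/etc/selinux/targeted")` means `add_copy_spec("/etc/selinux")` now appears to pull in the whole targeted policy tree, which enlarges the report and widens what leaves the host in it. If that is intended, a one-line comment saying so would help; otherwise the exclusion should stay. With check_enabled() gone the plugin seems to be gated only by `packages = ('libselinux',)`, so these commands will presumably also run on hosts where SELinux is disabled, and it is worth confirming their output is still meaningful there.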